PT-2021-14686 · Jenkins · Jenkins Config File Provider Plugin

Daniel Beck · Published 2021-04-21 · Updated 2023-10-25 · CVE-2021-21643

CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Config File Provider Plugin versions 3.7.0 and earlier

Description: Jenkins Config File Provider Plugin 3.7.0 and earlier does not correctly perform permission checks in several of its HTTP endpoints. The checks are evaluated globally rather than against the job the request belongs to, so an attacker who holds Job/Configure (Item/Configure) permission globally can enumerate the IDs of system-scoped credentials stored in Jenkins. The IDs alone do not reveal secret values, but they can be used as part of an attack that captures the credentials through another vulnerability, since many credential-reading code paths require a known credentials ID.

Recommendations: Update Jenkins Config File Provider Plugin to a version later than 3.7.0 (3.7.1 or newer). Until the update is applied, restrict access to the affected HTTP endpoints of the plugin, for example at a reverse proxy in front of the controller, and review who holds global Job/Configure permission so that it is granted only to trusted users. Because the exposed IDs only become dangerous in combination with another vulnerability, keeping Jenkins core and the remaining plugins current limits the impact in the meantime.
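The weakness class described above, shown as an added illustrative example in the Jenkins plugin API. This is not the Config File Provider Plugin's own code or its fix: the class, package, endpoint names and the choice of credential type are assumptions made for the example. The first endpoint checks the permission only against the Jenkins root, so any user holding Item/Configure globally is handed every system-scoped credential ID; the second follows the Credentials plugin's documented consumer pattern, scoping the check to the item the form belongs to, requiring Administer when there is no item, and returning only the value the caller already knows otherwise. It assumes a Jenkins core with Spring Security (2.266 or newer) and a Credentials plugin release that accepts `ACL.SYSTEM2`; older cores use `ACL.SYSTEM`.

```java
package example; // hypothetical package, not part of the real plugin

import com.cloudbees.plugins.credentials.CredentialsProvider;
import com.cloudbees.plugins.credentials.common.StandardListBoxModel;
import com.cloudbees.plugins.credentials.common.StandardUsernamePasswordCredentials;
import com.cloudbees.plugins.credentials.domains.DomainRequirement;
import hudson.Extension;
import hudson.model.AbstractDescribableImpl;
import hudson.model.Descriptor;
import hudson.model.Item;
import hudson.security.ACL;
import hudson.util.ListBoxModel;
import java.util.Collections;
import jenkins.model.Jenkins;
import org.kohsuke.stapler.AncestorInPath;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.QueryParameter;

/** Hypothetical describable whose configuration form has a "credentialsId" dropdown. */
public class CredentialsPicker extends AbstractDescribableImpl<CredentialsPicker> {
    private final String credentialsId;

    @DataBoundConstructor
    public CredentialsPicker(String credentialsId) {
        this.credentialsId = credentialsId;
    }

    public String getCredentialsId() {
        return credentialsId;
    }

    @Extension
    public static class DescriptorImpl extends Descriptor<CredentialsPicker> {

        /*
         * WEAK (the pattern behind CWE-863 here): the permission is checked against the
         * Jenkins root only. Stapler exposes this method as
         * /descriptorByName/example.CredentialsPicker/fillCredentialsIdItemsWeak, so any
         * user who holds Item/Configure globally, even without Configure on a single job,
         * can call it and receive every system-scoped credential ID.
         */
        public ListBoxModel doFillCredentialsIdItemsWeak(@QueryParameter String credentialsId) {
            Jenkins.get().checkPermission(Item.CONFIGURE); // global check, no item context
            return new StandardListBoxModel()
                    .includeEmptyValue()
                    .includeAs(ACL.SYSTEM2, Jenkins.get(),
                            StandardUsernamePasswordCredentials.class,
                            Collections.<DomainRequirement>emptyList())
                    .includeCurrentValue(credentialsId);
        }

        /*
         * HARDENED: the Credentials plugin's documented consumer pattern. The item the
         * form belongs to is injected by Stapler; the check is made on that item. With no
         * item (global configuration) only administrators may list credentials. A caller
         * without the right permission gets back only the value they already submitted,
         * so the endpoint leaks nothing to an attacker probing it directly.
         */
        public ListBoxModel doFillCredentialsIdItems(@AncestorInPath Item item,
                                                     @QueryParameter String credentialsId) {
            StandardListBoxModel result = new StandardListBoxModel();
            if (item == null) {
                if (!Jenkins.get().hasPermission(Jenkins.ADMINISTER)) {
                    return result.includeCurrentValue(credentialsId);
                }
            } else if (!item.hasPermission(Item.EXTENDED_READ)
                    && !item.hasPermission(CredentialsProvider.USE_ITEM)) {
                return result.includeCurrentValue(credentialsId);
            }
            return result
                    .includeEmptyValue()
                    .includeAs(ACL.SYSTEM2, item, // null item means the Jenkins root
                            StandardUsernamePasswordCredentials.class,
                            Collections.<DomainRequirement>emptyList())
                    .includeCurrentValue(credentialsId);
        }

        @Override
        public String getDisplayName() {
            return "Credentials picker (example)";
        }
    }
}
```

When reviewing a plugin for this class of bug, look at every `doFill*Items`, `doCheck*` and `doTest*` method: each one is an unauthenticated-by-default HTTP endpoint, and any permission check it performs must reference the `@AncestorInPath` item (or require Administer when none exists), not `Jenkins.get()` alone.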

Fix

Weakness Enumeration

Incorrect Authorization (CWE-863)

Related Identifiers

CVE-2021-21643
GHSA-3M3F-2323-64M7
RHSA-2021:2122
RHSA-2021:2431
RHSA-2021:2517

Affected Products

Jenkins
Jenkins Config File Provider Plugin